LKRG remote logging
===================
LKRG supports optional remote kernel message logging. Once enabled, this logs
not only messages generated by LKRG, but also all other kernel messages.
The sending component is in the LKRG kernel module itself, whereas the
receiving and logging counterpart is in a userspace daemon. There are also
additional userspace utilities.
Transport security
------------------
We currently use a one-way TCP stream, with transport security provided by our
usage of libhydrogen (bundled in here). libhydrogen is "built using just two
cryptographic building blocks: the Curve25519 elliptic curve, and the Gimli
permutation." It implements a number of Noise protocol handshake patterns, out
of which we currently use the most trivial one, "N".
As long as the server's secret key is not compromised, this protects
confidentiality and integrity of messages. While our usage of a one-way TCP
stream (a write-only socket) is a great way to limit LKRG's remote attack
surface, it precludes implementation of forward secrecy, so a compromised
secret key can unfortunately be used to decrypt past sessions.
Replay protection is partial - messages from the middle of a (current or past)
TCP connection cannot be replayed on their own (won't be accepted by the
receiver even if the TCP layer is tricked to accept them), but an entire TCP
connection or its starting portion can be.
There's no explicit server authentication since the communication on top of TCP
is one-way, however security against a spoofed/MITM server is achieved through
the client only encrypting to the correct server's pre-configured public key.
There's currently no explicit client authentication (a major shortcoming to be
addressed), but only clients with knowledge of the server's public key can send
messages that would be accepted by the server.
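To make the replay caveat above concrete, here is an added toy model of the receiver-side checks; it is illustration written for this page, not LKRG or libhydrogen code. It assumes a simplified session: hashlib/hmac stand in for the Curve25519 and Gimli primitives, the Noise "N" Diffie-Hellman step is replaced by a shared derivation from the server's static secret and the client's ephemeral key, and each record carries an authenticated sequence number. Under those assumptions it shows why a record from the middle of one connection is rejected when injected into another, while a whole recorded connection (handshake plus records, in order) is indistinguishable from the original.

```python
# Added illustration, not LKRG or libhydrogen code: a toy model of the
# receiver-side checks that give the partial replay protection described
# above. hashlib/hmac stand in for the Curve25519 + Gimli primitives; the DH
# step of the Noise "N" handshake is replaced by a shared derivation function.
import hashlib
import hmac
import os

# Constructed stand-in for the server's static secret (never a real key).
SERVER_STATIC_SK = b"constructed-server-static-secret"


def derive_session_key(client_ephemeral_pub: bytes) -> bytes:
    # Noise "N": the session key depends only on the client's ephemeral key
    # and the server's static key. No server-side ephemeral contributes, so
    # the same client ephemeral always yields the same session key (this is
    # the lack of forward secrecy; a recorded session replays as a whole).
    return hashlib.sha256(SERVER_STATIC_SK + client_ephemeral_pub).digest()


def seal(session_key: bytes, seq: int, msg: bytes) -> bytes:
    # The sequence number is authenticated together with the payload, so a
    # record only verifies under its own session key at its own position.
    head = seq.to_bytes(8, "big")
    tag = hmac.new(session_key, head + msg, "sha256").digest()
    return head + tag + msg


class Client:
    def __init__(self, ephemeral_pub: bytes = b""):
        self.ephemeral_pub = ephemeral_pub or os.urandom(32)
        self.session_key = derive_session_key(self.ephemeral_pub)
        self.seq = 0

    def send(self, msg: bytes) -> bytes:
        rec = seal(self.session_key, self.seq, msg)
        self.seq += 1
        return rec


class Receiver:
    def __init__(self):
        self.session_key = None
        self.expected_seq = 0

    def handshake(self, client_ephemeral_pub: bytes) -> None:
        # A new TCP connection starts a new session: fresh key, counter reset.
        self.session_key = derive_session_key(client_ephemeral_pub)
        self.expected_seq = 0

    def accept(self, rec: bytes) -> bool:
        head, tag, msg = rec[:8], rec[8:40], rec[40:]
        if self.session_key is None:
            return False
        if int.from_bytes(head, "big") != self.expected_seq:
            return False  # out of position: dropped, replayed or reordered
        good = hmac.new(self.session_key, head + msg, "sha256").digest()
        if not hmac.compare_digest(tag, good):
            return False  # wrong session key or tampered payload
        self.expected_seq += 1
        return True


def replay_outcomes() -> dict:
    """Record one session, then try the two replay shapes named in the text."""
    server = Receiver()
    client = Client()
    server.handshake(client.ephemeral_pub)
    # Constructed sample messages standing in for kernel log lines.
    msgs = (b"kernel: boot", b"LKRG: init", b"kernel: ok")
    records = [client.send(m) for m in msgs]
    live = all(server.accept(r) for r in records)

    # 1. A single record from the middle of that connection, presented on a
    #    different (fresh) connection: wrong key and wrong position.
    server.handshake(Client().ephemeral_pub)
    mid_stream = server.accept(records[1])

    # 2. The whole connection (handshake + records, in order) played back:
    #    nothing in the "N" pattern lets the receiver tell it from the original.
    server.handshake(client.ephemeral_pub)
    whole = all(server.accept(r) for r in records)

    return {"live": live,
            "mid_stream_replay": mid_stream,
            "whole_connection_replay": whole}
```

`replay_outcomes()` returns `live` and `whole_connection_replay` as accepted and `mid_stream_replay` as rejected, which is exactly the split the text describes; the model makes clear that the sequence check and per-session key are what reject the mid-stream record, and that nothing in a one-way "N" handshake can bind a session to a point in time.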
How to use
----------
Please refer to the section "Remote logging configuration" in README for how to
enable remote logging in LKRG.
Please read below about the userspace tools to support LKRG remote logging.
Build requirements and building
-------------------------------
The build requirements for the userspace tools are a subset of what's needed to
build LKRG itself. Currently, it's just GNU make and GCC. You can build the
tools by simply running "make" in the "logger" directory, e.g. like this:
make -C logger -j8
This will build three programs described below.
Installation
------------
To install the programs on the system globally, run:
sudo make install
On systems with systemd, this also installs, but does not yet enable, a systemd
unit file for lkrg-logger.
Uninstalling
------------
Similarly to installation, you can uninstall these programs and the systemd
unit file with:
sudo make uninstall
lkrg-keygen
-----------
Run this program once to obtain a public/secret keypair, which it prints as:
LKRG_LOGGER_PK=64hexdigitshere
LKRG_LOGGER_SK=64hexdigitshere
Use the 64 digits from LKRG_LOGGER_PK as value for LKRG's net_server_pk module
parameter. Use the line LKRG_LOGGER_SK= including the 64 digits to set an
environment variable of this name for lkrg-logger.
lkrg-logger
-----------
This is the receiving and logging userspace daemon. Currently, it is to be set
up and started via systemd like this:
useradd -r lkrg-logger -d / -s /sbin/nologin
mkdir /var/log/lkrg-logger
chown lkrg-logger: /var/log/lkrg-logger
umask 077
lkrg-keygen > /etc/lkrg-logger.conf
systemctl enable lkrg-logger
systemctl start lkrg-logger
or instead of the last 4 commands above, started manually as root like this:
LKRG_LOGGER_SK=64hexdigitshere lkrg-logger
Per-client log files will appear in the log directory once client connections
encrypting to the right public key arrive. The filenames correspond to each
client's IPv4 address as seen by the server.
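As an added example (not part of the LKRG tools), here is a small Python helper for the key-handling steps in the lkrg-keygen and lkrg-logger sections: it parses lkrg-keygen output strictly (exactly one LKRG_LOGGER_PK and one LKRG_LOGGER_SK line of 64 hex digits), produces the `net_server_pk=` module parameter value for the client side, writes the output to a config file the way `umask 077; lkrg-keygen > /etc/lkrg-logger.conf` would (mode 0600, never clobbering an existing file), and verifies the resulting permissions before the daemon is started. The sample keygen output, the temporary config path used by `self_check()`, and the function names are constructed for this page.

```python
# Added illustration, not LKRG's own tooling: validate lkrg-keygen output and
# the permissions of the secret-key config file before starting lkrg-logger.
import os
import re
import stat
import tempfile

_KEY_LINE = re.compile(r"^(LKRG_LOGGER_PK|LKRG_LOGGER_SK)=([0-9a-fA-F]{64})$")

# Constructed sample in the format lkrg-keygen prints (not real keys).
SAMPLE_KEYGEN_OUTPUT = ("LKRG_LOGGER_PK=" + "ab" * 32 + "\n"
                        "LKRG_LOGGER_SK=" + "CD" * 32 + "\n")


def parse_keygen_output(text: str) -> dict:
    """Return {'LKRG_LOGGER_PK': hex, 'LKRG_LOGGER_SK': hex}.

    Anything that is not exactly one PK line and one SK line of 64 hex digits
    raises ValueError, so a truncated or hand-edited key is caught before use.
    Hex digits are normalised to lowercase.
    """
    keys = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _KEY_LINE.match(line.strip())
        if not m or m.group(1) in keys:
            raise ValueError(f"unexpected keygen line: {line!r}")
        keys[m.group(1)] = m.group(2).lower()
    if set(keys) != {"LKRG_LOGGER_PK", "LKRG_LOGGER_SK"}:
        raise ValueError("keygen output must contain one PK and one SK line")
    return keys


def module_parameter(keys: dict) -> str:
    """The LKRG module parameter for the sending side: public key only."""
    return f"net_server_pk={keys['LKRG_LOGGER_PK']}"


def write_logger_conf(path: str, keys: dict) -> None:
    """Write both key lines as 'umask 077; lkrg-keygen > conf' would: the file
    is created mode 0600 and an existing file is never overwritten."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"LKRG_LOGGER_PK={keys['LKRG_LOGGER_PK']}\n")
        f.write(f"LKRG_LOGGER_SK={keys['LKRG_LOGGER_SK']}\n")


def conf_permissions_ok(path: str) -> bool:
    """True only for a regular file with no group/other permission bits set."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def self_check() -> dict:
    """Run the whole flow against the constructed sample in a temp directory."""
    keys = parse_keygen_output(SAMPLE_KEYGEN_OUTPUT)
    conf = os.path.join(tempfile.mkdtemp(), "lkrg-logger.conf")
    write_logger_conf(conf, keys)
    clobbered = True
    try:
        write_logger_conf(conf, keys)  # second write must refuse
    except FileExistsError:
        clobbered = False
    return {"keys": keys,
            "module_parameter": module_parameter(keys),
            "permissions_ok": conf_permissions_ok(conf),
            "clobbered": clobbered}
```

On a real host the config path is /etc/lkrg-logger.conf as in the setup steps above; `conf_permissions_ok()` is the check worth running before `systemctl start lkrg-logger`, since the SK line in that file is what lets the daemon decrypt every client's stream.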
lkrg-logctl
-----------
A tool to process one lkrg-logger output file. This program currently derives
each event's ISO timestamp from several recorded relative timestamps.